Attackers use complex malware to attack Russian businesses

Since the end of last year we have been tracking a new malicious campaign distributing a banking Trojan. The attackers focused on compromising Russian companies, that is, corporate users. The campaign was active for at least a year and, in addition to the banking Trojan, the attackers made use of other software tools. These include a special loader packed with NSIS, and spyware disguised as the well-known legitimate Yandex Punto software. Once the attackers had compromised a victim's computer, they installed a backdoor and the banking Trojan.


In their malware the attackers used several digital certificates that were valid at the time, together with special techniques for bypassing AV products. The campaign targeted a large number of Russian banks and is particularly interesting because the attackers used methods that are typical of targeted attacks, that is, attacks not motivated solely by financial fraud. We can note some similarity between this campaign and a major incident that received wide publicity earlier: the cybercriminal group that used the Anunak/Carbanak banking Trojan.

The attackers installed the malware only on computers whose Windows locale is Russian by default. The main distribution vector of the Trojan was a Word document with an exploit for CVE-2012-0158, sent as an attachment. The screenshots below show what these decoy documents looked like. The first document is titled "Invoice No. 522375-FLORL-14-115.doc", and the second, "kontrakt87.doc", is a copy of a contract for the provision of telecommunication services by the mobile operator Megafon.

Fig. 1. Phishing document.

Fig. 2. Another variant of the phishing document.

The following facts indicate that the attackers were targeting Russian businesses:

  • the malware was delivered using decoy documents on the subjects described above;
  • the tactics of the attackers and the malicious tools they used;
  • references to business applications in some of the executable modules;
  • the names of the malicious domains used in this campaign.

The special software tools the attackers install on a compromised system give them remote control of the system and let them monitor user activity. To achieve this they install a backdoor and try to obtain the password of the Windows account or to create a new account. The attackers also rely on a keylogger, a Windows clipboard stealer, and special software for working with smart cards. The group attempted to compromise other computers on the same local network as the victim's computer.

Our ESET LiveGrid telemetry system, which allows us to track malware distribution statistics quickly, gave us interesting geographic statistics on the distribution of the malware used by the attackers in this campaign.

Fig. 3. Geographic distribution of the malware used in this malicious campaign.

Malware installation

After the user opens the malicious document with the exploit on a vulnerable system, a special downloader packed with NSIS is downloaded and executed. At the start of its work the program checks the Windows environment for the presence of debuggers and for execution inside a virtual machine. It also checks the Windows locale and whether the user has visited the URLs listed in the table below in the browser. For this it uses the FindFirst/NextUrlCacheEntry APIs and the Software\Microsoft\Internet Explorer\TypedURLs registry key.

[Table: URLs the downloader looks for in the browser history; reproduced as an image in the original.]

The downloader also checks for the presence of the following applications on the system.

[Table: applications the downloader checks for; reproduced as an image in the original.]

The list of programs is really impressive and, as you can see, it includes more than banking applications. For example, the executable named "scardsvr.exe" belongs to software for working with smart cards (the Microsoft SmartCard reader). The banking Trojan itself includes the ability to work with smart cards.

Fig. 4. General scheme of the malware installation process.

If all the checks pass, the downloader fetches a special file (an archive) from the remote server containing all the malicious executable modules used by the attackers. It is interesting to note that, depending on the outcome of the checks above, the archive served by the remote C&C server may differ. The archive may be malicious or it may not. If it is not malicious, it installs the Windows Live Toolbar for the user. Most likely the attackers used this trick to deceive automated file analysis systems and the virtual machines in which suspicious files are executed.

The file fetched by the NSIS downloader is a 7z archive containing the various malware modules. The figure below shows the whole installation process of this malware and its modules.

Fig. 5. General scheme of how the malware operates.

Although the downloaded modules serve different purposes for the attackers, they are packed in the same way and many of them were signed with valid digital certificates. We found four such certificates used by the attackers from the very beginning of the campaign. Following our complaint, these certificates were revoked. It is interesting to note that all of the certificates were issued to companies registered in Moscow.

Fig. 6. Digital certificate used to sign the malware.

The following table describes the digital certificates used by the attackers in this campaign.

[Table: digital certificates used to sign the malware; reproduced as an image in the original.]

Almost all of the malicious modules used by the attackers follow the same installation procedure. They are self-extracting 7-Zip archives protected with a password.

Fig. 7. Fragment of the install.cmd batch file.

The .cmd batch file is responsible for installing the malware on the system and launching the attackers' various tools. If execution requires administrator privileges that are missing, the malicious code uses several methods to obtain them (UAC bypass). The first method uses two executables named l1.exe and cc1.exe, which bypass UAC using the leaked Carberp source code. The second method relies on exploiting the CVE-2013-3660 vulnerability. Every malware module that needs privilege escalation contains both a 32-bit and a 64-bit version of the exploit.

While tracking this campaign we analyzed several archives fetched by the downloader. Their contents varied, which means the attackers could adapt the malicious modules for different purposes.

Compromising the user

As mentioned above, the attackers use special tools to compromise users' computers. These tools include programs with the executable names mimi.exe and xtm.exe. They help the attackers take control of the victim's computer and are dedicated to the following tasks: obtaining or recovering passwords for Windows accounts, enabling the RDP service, and creating a new account in the OS.

The mimi.exe executable contains a modified version of the well-known open-source tool Mimikatz. This tool makes it possible to obtain the passwords of Windows user accounts. The attackers removed the part of Mimikatz responsible for user interaction. The executable code was also modified so that, when launched, Mimikatz runs the privilege::debug and sekurlsa::logonPasswords commands.

Another executable, xtm.exe, launches special scripts that enable the RDP service on the system, attempt to create a new account in the OS, and change system settings so that several users can connect to the compromised computer over RDP at the same time. Obviously, these steps are needed to obtain full control of the compromised system.

Fig. 8. Commands executed by xtm.exe on the system.
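The sequence xtm.exe performs (RDP enabled, multi-session allowed, new local account) is easy to correlate in process-creation telemetry. The following is an added detection example, not ESET's code; the event records are constructed, and the command lines are the standard Terminal Services registry values and net commands such a script would typically use, since the real xtm.exe commands are only shown in Fig. 8.

```python
"""Correlate the host-takeover steps described above in process-creation logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per step of the takeover described in the text. The registry value
# names are the standard Terminal Services settings (assumption: xtm.exe uses them).
STEPS = {
    "rdp_enabled": re.compile(r"fDenyTSConnections.*\b0\b", re.I),
    "multi_session": re.compile(r"fSingleSessionPerUser.*\b0\b", re.I),
    "account_created": re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
}

# Constructed sample events: (timestamp, host, parent image, command line)
SAMPLE_EVENTS = [
    ("2016-01-18 10:02:11", "WS-ACC-07", "xtm.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("2016-01-18 10:02:12", "WS-ACC-07", "xtm.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f'),
    ("2016-01-18 10:02:14", "WS-ACC-07", "xtm.exe", "net user support_1 Sample_pw1 /add"),
    # Benign one-off account creation on another host: a single step, never flagged.
    ("2016-01-18 14:30:00", "WS-IT-01", "mmc.exe", "net user newhire Welcome1 /add"),
]

def classify(cmdline):
    """Return the takeover step a command line matches, or None."""
    for name, pattern in STEPS.items():
        if pattern.search(cmdline):
            return name
    return None

def find_takeover_hosts(events, window_minutes=10, min_steps=3):
    """Return {host: sorted step names} for hosts on which at least min_steps
    distinct steps occur within window_minutes of each other."""
    per_host = defaultdict(list)
    for ts, host, parent, cmd in events:
        step = classify(cmd)
        if step:
            per_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), step, parent))
    hits = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):
            seen = {s for t, s, _ in items[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(seen) >= min_steps:
                hits[host] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for host, steps in find_takeover_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: possible RDP takeover sequence {steps}")
```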

The attackers use another executable, impack.exe, to install special software on the system. This software is called LiteManager and the attackers use it as a backdoor.

Fig. 9. LiteManager interface.

Once installed on the user's system, LiteManager allows the attackers to connect directly to that system and control it remotely. The software has special command-line parameters for hidden installation, for creating dedicated firewall rules, and for launching its module. The attackers use all of these parameters.

The last module of the malware package used by the attackers is the banking malware (the banker), with the executable name pn_pack.exe. It is dedicated to spying on the user and is responsible for communicating with the C&C server. The banker is launched by means of the legitimate Yandex Punto software: the attackers use Punto to load malicious DLL libraries (DLL side-loading). The malware itself can perform the following functions:

  • log keystrokes and clipboard contents for later transmission to the remote server;
  • enumerate all smart cards present on the system;
  • communicate with the remote C&C server.

The malware module responsible for all of these functions is an encrypted DLL. It is decrypted and loaded into memory while Punto is running. To perform the functions above, the DLL's executable code starts three threads.

The fact that the attackers chose Punto for their purposes is not surprising: some Russian forums openly provide detailed information on topics such as using flaws in legitimate software to compromise users.

The malicious library uses the RC4 algorithm to encrypt its strings and also to protect its network communication with the C&C server. It contacts the server every two minutes and sends all the data collected on the compromised system during that interval.
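Because RC4 is symmetric, an analyst who recovers the key from a sample can decrypt both the embedded strings and captured C&C messages with one routine. The block below is an added example, not ESET's code: a plain RC4 implementation plus a helper that decrypts a list of string blobs. The key and the encrypted blobs are constructed here for illustration and are not taken from the real malware.

```python
"""RC4 string and message recovery, as an analyst would use it against the banker."""

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_strings(key: bytes, blobs) -> list:
    """Decrypt encrypted string blobs. Blobs that do not decode as ASCII are
    returned as hex so that a wrong key is visible instead of silently dropped."""
    result = []
    for blob in blobs:
        plain = rc4(key, blob)
        try:
            result.append(plain.decode("ascii"))
        except UnicodeDecodeError:
            result.append("<undecodable:" + plain.hex() + ">")
    return result

def has_test_botnet_marker(key: bytes, message: bytes) -> bool:
    """True if a decrypted C&C message carries the TEST_BOTNET string mentioned above."""
    return b"TEST_BOTNET" in rc4(key, message)

# Constructed sample: a key and blobs as they might be pulled out of a sample.
SAMPLE_KEY = b"sample-key-not-real"
SAMPLE_BLOBS = [rc4(SAMPLE_KEY, s) for s in (
    b"TEST_BOTNET", b"scardsvr.exe",
    b"Software\\Microsoft\\Internet Explorer\\TypedURLs")]

if __name__ == "__main__":
    print(decrypt_strings(SAMPLE_KEY, SAMPLE_BLOBS))
```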

Fig. 10. Fragment of the network communication between the bot and the server.
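A fixed two-minute check-in is itself a detectable signal on the network side even when the payload is RC4-encrypted. The following is an added example, not ESET's code: it groups outbound connections per client and destination in constructed proxy log lines and flags pairs whose inter-connection gaps are nearly constant. The hostnames are placeholders in the reserved .invalid domain, not real C&C addresses.

```python
"""Flag periodic (beacon-like) connections in proxy logs."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <client IP> <destination host>"
SAMPLE_LOG = """\
2016-01-18T09:00:00 10.1.2.7 c2.example.invalid
2016-01-18T09:00:31 10.1.2.7 update.example.invalid
2016-01-18T09:02:00 10.1.2.7 c2.example.invalid
2016-01-18T09:04:01 10.1.2.7 c2.example.invalid
2016-01-18T09:05:10 10.1.2.7 news.example.invalid
2016-01-18T09:06:00 10.1.2.7 c2.example.invalid
2016-01-18T09:07:59 10.1.2.7 c2.example.invalid
2016-01-18T09:10:00 10.1.2.7 c2.example.invalid
2016-01-18T09:00:05 10.1.2.9 news.example.invalid
2016-01-18T09:13:20 10.1.2.9 news.example.invalid
2016-01-18T09:41:07 10.1.2.9 news.example.invalid
2016-01-18T09:44:00 10.1.2.9 news.example.invalid
2016-01-18T10:20:03 10.1.2.9 news.example.invalid
"""

def parse_log(text):
    """Group connection timestamps by (client, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, dest = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_hits=5, max_jitter_ratio=0.05):
    """Return {(client, dest): mean gap in seconds} for pairs seen at least
    min_hits times whose gaps vary by no more than max_jitter_ratio of the mean.
    A two-minute check-in with a second of jitter passes; browsing does not."""
    beacons = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            beacons[pair] = round(mean)
    return beacons

if __name__ == "__main__":
    for (client, dest), secs in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: connects every ~{secs}s")
```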

Below are some of the C&C server commands the library can receive.

[Table: C&C commands understood by the banker; reproduced as an image in the original.]

After receiving a command from the C&C server, the malware replies with a status code. It is interesting to note that all the banker modules we analyzed (the most recent with a compilation date of January 18) contain the string "TEST_BOTNET", which is sent in every message to the C&C server.

Conclusion

To compromise a company's employees, the attackers first compromise a single employee by sending a phishing message with an exploit. Then, once the malware is installed on the system, they use software tools that let them considerably extend their privileges on the system and perform additional tasks on it: compromising other computers on the corporate network and spying on the user, including the banking transactions the user performs.


Source: www.habr.com
